DOD: Hackers Breached U.S. Critical Infrastructure Control Systems

Defense secretary Leon Panetta says cyberattacks against critical infrastructure at home and abroad--some of which he called the worst to date--should spark urgent action against the hacker threat.

14 Amazing DARPA Technologies On Tap

(click image for larger view and for slideshow)

Hackers have infiltrated the control systems of U.S. critical infrastructure--systems that operate chemical, electricity, and water plants--and the need to develop new cyber capabilities and put in place effective policy to fight and deter attacks is as urgent as ever, secretary of Defense Leon Panetta said in a speech Thursday night.

"We know of specific instances where intruders have successfully gained access to these control systems," Panetta said in a speech to the Business Executives for National Security in New York City. "We also know that they are seeking to create advanced tools to attack these systems and cause panic and destruction and even the loss of life."

In his remarks, Panetta confirmed several recent cyber attacks against Saudi and Qatari energy companies that used the sophisticated Shamoon virus, calling the attacks "the most destructive that the private sector has seen to date." As Panetta noted, the Shamoon attacks "virtually destroyed" 30,000 computers owned by the Saudi oil company Aramco. "Imagine the impact an attack like that would have on your company or your business," he added.

Warning of more destructive attacks that could cause loss of life if successful, Panetta urged Congress to pass comprehensive legislation in the vein of the Cybersecurity Act of 2012, a bill co-sponsored by Sens. Joe Lieberman, I-Conn., Susan Collins, R-Maine, Jay Rockefeller, D-W.Va., and Dianne Feinstein, D-Calif., that failed to pass in its first attempt earlier this year by losing a cloture vote in the Senate.

"Congress must act and it must act now," he said. "This bill is victim to legislative and political gridlock like so much else in Washington. That frankly is unacceptable and it should be unacceptable not just to me, but to you and to anyone concerned with safeguarding our national security."

Specifically, Panetta called for legislation that would make it easier for companies to share "specific threat information without the prospect of lawsuits" but while still respecting civil liberties. He also said that there must be "baseline standards" co-developed by the public and private sector to ensure the cybersecurity of critical infrastructure IT systems. The Cybersecurity Act of 2012 contained provisions that would arguably fit the bill on both of those accounts.

While Panetta said that "there is no substitute" for legislation, he noted that the Obama administration has been working on an executive order on cybersecurity as an end-around on Congress. "We need to move as far as we can" even in the face of Congressional inaction, he said. "We have no choice because the threat that we face is already here."

He added that the DOD has three priorities for improving its own ability to combat cyber attacks: investing more than $3 billion annually in cybersecurity to develop new capabilities, including recruiting and training new cyber warfare soldiers and developing new systems and techniques; pushing forward with new policy, including new cyber rules of engagement that are close to being finalized; and working ever closer with the private sector and other parts of government.

Although Panetta may have urged further action, he was also quick to point out that some gains have been made. For example, he said that the military had developed "the world's most sophisticated system to detect cyber intruders and attackers" and that other agencies had also stepped up to the plate.

I though that these particular infrastructure were, or definitely should be, impenetrable by security breeches. These plants are our electric, water and various other necessities that we as Americans use on a daily basis. You can bet your bottom dollar that these services go down for any reason it would cause mass panic and no doubt there would be people hurt within the panic that takes place. These precautionary measures and disaster recovery plans need to put into play way before one of these actual attacks occurred. If hackers can gain access to and actual gain control of these systems for the sole purpose of causing disaster, then what is next?

I have never read anything which referred to SCADA equipment as being anything other than interconnected permitting control from a distance (in other words they must transfer data between themselves using known methods). The concept of the SmartGrid itself is founded on interconnectivity and independence being able to regulate services on environmental conditions. Think of your water and electrical meters that now transmit consumption to the central office without the "meter readers" making their rounds but also smart houses where your appliances can be controlled through the internet and as usual the focus is on convenience and cost reduction not security in development. Anonymous and similar groups may now focus on nuisance DDoS activity, but as there is a market for avoiding telephone usage fees (Magic Jack) there will be a market for solutions to reduce or eliminate energy and utilities consumption.

Published: 2015-03-03Off-by-one error in the ecryptfs_decode_from_filename function in fs/ecryptfs/crypto.c in the eCryptfs subsystem in the Linux kernel before 3.18.2 allows local users to cause a denial of service (buffer overflow and system crash) or possibly gain privileges via a crafted filename.

Published: 2015-03-03** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue in customer-controlled software. Notes: none.

How can security professionals better engage with their peers, both in person and online? In this Dark Reading Radio show, we will talk to leaders at some of the security industry’s professional organizations about how security pros can get more involved – with their colleagues in the same industry, with their peers in other industries, and with the IT security community as a whole.